[Snort-users] dual nic, was: flex response and cisco span por ts

Burleson, Lee (IA) Lee.Burleson at ...1358...
Wed Jan 2 16:08:04 EST 2002


Byron -

Try unbinding TCP/IP from the non-admin interface(s).  You will need the
latest version of WinPCap to do this.  I have this running successfully in
my environment on several sensors now.

Big smiles to those guys in Italy for that improvement.

HTH.

- Lee

> -----Original Message-----
> From: Byron [mailto:snail945 at ...131...]
> Sent: Wednesday, January 02, 2002 14:13
> To: John Roberds
> Cc: snort-users at lists.sourceforge.net; tyler at ...4440...
> Subject: Re: [Snort-users] dual nic, was: flex response and cisco span ports
> 
> 
> all-
> 
> I'm using a dual NIC setup as mentioned a few times in this thread.  I also
> have had issues where packets tried to leave off of the snort interface when
> I only want them to be routed out the administrative NIC on a separate VLAN
> as defined by the Cisco 6509.  Usually this only happened if the admin
> interfaces went down for some reason.
> 
> On Windows 2000, how can I allow snort to listen on one NIC and not have an
> IP assigned to this NIC?  I'd like to avoid having a second default gateway
> in the local routing table.  I only want a default gateway route for the
> administrative LAN.
> 
> thx!
> ----- Original Message -----
> From: "John Roberds" <roberdsj at ...4446...>
> Cc: <snort-users at lists.sourceforge.net>; <tyler at ...4440...>
> Sent: Wednesday, January 02, 2002 10:42 AM
> Subject: Re: [Snort-users] flex response and cisco span ports
> 
> 
> >
> > tf,
> >
> > The Cisco switches Steve mentions here are both IOS based
> > switches that by default permit the type of rx/tx on the administrative
> > port by default.  My guess is that you may be using a CLI ("set") based
> > switch like the 4K, 5K, & 6K family.  I would try the additional parameters
> > inpkts enable on the span setup.  e.g.
> >
> > 6506(enable)# set span 4/40 4/41 both inpkts enable
> >
> > This should do what you want for the single interface solution.  However,
> > I like the two interface concept to facilitate an independent enterprise
> > wide vlan to collect data.
> >
> > Good luck,
> >
> > JR
> >
> > Graeme Fowler wrote:
> > >
> > > tf wrote:
> > >
> > > > When snort has to respond [ie, send RST packets] I assume it
> > > > sends them out the interface it is listening on?
> > > > How does this work when monitoring a cisco switched network?
> > > > Once I make a port a monitor port, it is read-only and nothing
> > > > can be sent out on it, so what I've done in the past is put 2
> > > > interfaces on my snort sensors.  One is a listener, the other
> > > > is the "management" port that I ssh to, etc, etc.
> > >
> > > In my experience, this is wrong on both counts. I have successfully used
> > > real live machines (both by accident *and* by design; long story) with real
> > > live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call
> > > it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can
> > > make emergency oh-my-god-everything-broke situations a little more bearable
> > > if you can sniff *and* make external connections thru the same NIC,
> > > especially when you have a laptop with a single interface... and you need to
> > > just dig that MAC address out of that remote database which is not on your
> > > laptop!
> > >
> > > > So I guess my question is this.. Can I make the sensor send its
> > > > flex-response packets out the 'mgmt' port instead?  Surely
> > > > there are other people with an environment like this [snort,
> > > > cisco catalyst switches, flex-response] .. What's everyone else
> > > > doing?
> > >
> > > As far as I'm aware, snort chucks its flexresp packets out via *the default
> > > gateway* therefore it spits them out thru whatever interface your default
> > > route points at.
> > >
> > > YMMV obviously, but as far back as the initial implementations of flexresp
> > > snort didn't do anything too fancy, just generated the packets and dropped
> > > them on the IP stack for the kernel to handle as it pleased. I'm not too
> > > proud to stand corrected, mind you!
> > >
> > > Graeme
> > > --
> > > Graeme Fowler
> > > System Administrator
> > > Host Europe Group PLC
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
> 
> 



